{"componentChunkName":"component---src-templates-post-template-js","path":"/hackthebox-linux-teacher-en","result":{"data":{"markdownRemark":{"id":"94fdd6ff-bca3-5397-b419-ec94ec1157af","html":"
\n

This page has been machine-translated from the original page.

\n
\n

I use the penetration-testing learning platform “Hack The Box” to study security.\nAt the time of writing, my rank on Hack The Box is ProHacker.

\n\n \n \n \n \n \n \"Hack\n \n \n \n

This time I am writing up the retired HackTheBox machine “Teacher”.

\n\n

About This Article

\n

The content of this article is not intended to encourage acts that are contrary to social order.

\n

Please note that attempting attacks against environments other than those you own or are authorized to use may violate the Act on the Prohibition of Unauthorized Computer Access (the Unauthorized Access Prohibition Act).

\n

All statements here are my own and do not represent any organization I belong to.

\n\n

Table of Contents

\n\n

Enumeration

\n

As usual, I started with a port scan.

\n
$ sudo sed -i 's/^[0-9].*$RHOST/10.10.10.153  $RHOST/g' /etc/hosts\n\n$ nmap -sV -sC -Pn -T4 $RHOST| tee nmap1.txt\nNmap scan report for $RHOST (10.10.10.153)\nHost is up.\nAll 1000 scanned ports on $RHOST (10.10.10.153) are in ignored states.\nNot shown: 1000 filtered tcp ports (no-response)\n\n$ nmap -p- $RHOST -Pn -sC -sV -A  | tee nmap_max.txt
\n

It looked like all ports in the fast scan were being filtered.

\n

With everything filtered, it was impossible to tell whether any ports were actually open.

\n

I also tried scanning all ports, but unfortunately those were filtered as well.

\n

I thought I was completely stuck, but it turned out to be a silly mistake — I simply was not connected to the VPN.

\n

After connecting to the VPN, I found the following open ports:

\n
PORT      STATE    SERVICE         VERSION\n80/tcp    open     http            Apache httpd 2.4.25 ((Debian))\n|_http-title: Blackhat highschool\n|_http-server-header: Apache/2.4.25 (Debian)\n1069/tcp  filtered cognex-insight\n1084/tcp  filtered ansoft-lm-2\n1085/tcp  filtered webobjects\n1434/tcp  filtered ms-sql-m\n2222/tcp  filtered EtherNetIP-1\n3766/tcp  filtered sitewatch-s\n5544/tcp  filtered unknown\n5815/tcp  filtered unknown\n6004/tcp  filtered X11:4\n7402/tcp  filtered rtps-dd-mt\n8087/tcp  filtered simplifymedia\n8181/tcp  filtered intermapper\n9071/tcp  filtered unknown\n9099/tcp  filtered unknown\n9415/tcp  filtered unknown\n9929/tcp  filtered nping-echo\n15004/tcp filtered unknown\n32776/tcp filtered sometimes-rpc15\n32782/tcp filtered unknown\n49167/tcp filtered unknown\n65000/tcp filtered unknown
\n

For now, I connected to the open port 80 and continued enumeration.

\n

Port 80 appeared to be running some kind of CMS site.

\n

\n \n \n \n \n \n \n \n \n

\n

Since there were no obvious clues, I ran feroxbuster, which revealed a redirect when accessing the /moodle path.

\n
$ feroxbuster -u http://$RHOST/ -x php -w /usr/share/wordlists/raft-medium-directories.txt --no-recursion | tee feroxbuster.txt\n\n301      GET        9l       28w      317c http://$RHOST/moodle => http://$RHOST/moodle/
\n

Opening that address in a browser redirected to http://teacher.htb/moodle/, so I updated the hosts file and accessed the page.

\n

This connected me to what appeared to be a Moodle administration site.

\n

\n \n \n \n \n \n \n \n \n

\n

I wanted to look for exploits from here, but it turned out that the Moodle version can only be viewed by accounts with teacher-level privileges or higher.

\n

Reference: Moodle 3.8 - Unrestricted File Upload - PHP webapps Exploit

\n

\n \n \n \n \n \n \n \n \n

\n

I spent a while trying various exploits from here, but none of them landed.

\n

Going back to enumeration, I noticed that the file images/5.png in the gallery appeared as blank space, which caught my attention.

\n

\n \n \n \n \n \n \n \n \n

\n

This gave me a shell, but the privileges were still low, so I continued enumeration from here.

\n

Getting a User

\n

Browsing around, I found DB credentials embedded in a file called config.php.

\n

I extracted a database dump with the following command:

\n
$ mysqldump -u 'root' -p -h 'localhost' 'moodle' > /tmp/output.txt
\n

Going through the DB contents, I found that in addition to Giovanni (whose credentials I had obtained), there was an Admin user, and password hashes were stored in the DB.

\n
Admin $2y$10$7VPsdU9/9y2J4Mynlt6vM.a4coqHRXsNTOq/1aA6wCWTsF2wtrDO2\ngiovanni $2y$10$38V6kI7LNudORa7lBAT0q.vsQsv4PemY7rf/M1Zkj/i1VqLO0FSYO
\n

I spent a while trying to crack the Admin hash, but on closer inspection I noticed there was another user registered called Giovannibak.

\n

\n \n \n \n \n \n \n \n \n

\n

The script looked like this:

\n
#!/bin/bash\ncd /home/giovanni/work;\ntar -czvf tmp/backup_courses.tar.gz courses/*;\ncd tmp;\ntar -xf backup_courses.tar.gz;\nchmod 777 * -R;
\n

The key observation: after moving to the tmp directory, chmod 777 * -R recursively changes permissions on everything there.

\n

This means that by removing the tmp directory and replacing it with an arbitrary symbolic link, I could cause chmod 777 -R to apply to every file in any target directory.

\n

Any directory would work, but since I wanted to get a shell from backup.sh running as root, I set the symlink as ln -s /usr/bin tmp.

\n

This let me overwrite backup.sh and obtain a root shell.

","fields":{"slug":"/hackthebox-linux-teacher-en","tagSlugs":["/tag/hack-the-box-en/","/tag/linux-en/","/tag/easy-box-en/","/tag/english/"]},"frontmatter":{"date":"2022-08-06","description":"A writeup of the retired HackTheBox machine 'Teacher'.","tags":["HackTheBox (en)","Linux (en)","EasyBox (en)","English"],"title":"HackTheBox Writeup: Teacher (Easy/Linux)","socialImage":{"publicURL":"/static/dc4d8b7f8795f3c3d3489d9957d155f2/no-image.png"}}}},"pageContext":{"slug":"/hackthebox-linux-teacher-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}